Cybercriminals use deceased staff accounts to spread Nemty ransomware

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,154
Content source
https://www.zdnet.com/article/cybercriminals-use-deceased-staff-accounts-to-spread-nemty-ransomware/
Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company's detriment: ghost accounts.
It is not always the case that when a staff member leaves their employ, whether due to a new job offer, changes of circumstance, illness, or in unfortunate cases, death, that their accounts are removed from corporate networks.
This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware.
In a case study documented by Sophos' cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware.
According to Sophos, the ransomware -- also known as Nefilim -- impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. [...]
Click to expand...
"Ransomware is the final payload in a longer attack," noted Peter Mackenzie, Rapid Response manager. "It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts."
This particular case was a destructive one. A new user account was covertly created and added to the domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment. However, the victim organization was able to restore its systems through offline backups.
The cybersecurity team asked who the high privilege administration account belonged to. The victim company said the account belonged to a former member of staff who passed away approximately three months before the cyberintrusion.
Instead of revoking access and closing down the 'ghost' account, the firm chose to keep it active and open "because there were services that it was used for."
Click to expand...
www.zdnet.com

Cybercriminals use deceased staff accounts to spread Nemty ransomware

Researchers explore how ‘ghost’ accounts can become targets for threat actors.
www.zdnet.com www.zdnet.com
 
  • Like
  • Wow
  • +Reputation
Reactions: Venustus, Andy Ful, upnorth and 3 others
You must log in or register to reply here.

Similar threads

Shadowra
    • Wow
    • Like
    • Sad
Malware News Ransomware attack on indie game maker wiped all player accounts
Replies
0
Views
988
Security News
Shadowra
Shadowra
Gandalf_The_Grey
    • Applause
    • Wow
    • +Reputation
Security News Ukraine arrests hackers trying to sell 100 million stolen accounts
Replies
0
Views
959
Security News
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • Like
    • Wow
Akira ransomware targets Cisco VPNs to breach organizations
Replies
0
Views
1,148
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top